For those who are newer to pentesting / forensics, or for those who just like to keep tabs on what goes on in the wild, I thought I'd write up a quickie on the little JavaScript I found during a pentest the other evening. Now, this is no major, "heavy-duty" code, nor is it very complicated. But it goes to show how even simple tricks can get you past both host- and server-based antivirus scans, malware detection utilities, etc.

So without further ado, here's the skinny!

I was asked to go into a company and forensically help them find out why they were being flagged by Google and SafeSearch. Then, once I found the issue, pentest their webservers to see if I could determine how the problem got there to begin with.

I won't go into full details on the pentest, but suffice it to say the company's "static" HTML homepage, which they assumed was safe, lived in a subfolder of one of their OTHER domains on the same hosting provider's server. That other domain had PHP vulnerabilities which would give an attacker full access to every folder beneath that level (i.e. OOPS!). So it was an easy task for an attacker to manipulate the website.

Anyway, pentest aside, the issue I found on their static HTML pages was a rather simplistic one. There were 3 JavaScripts appended to the bottom of each page. Each script pointed out to a site known to be a staging point for the 'FakeAV' malware, and thus their site got flagged.

The scripts are below. I first found them by running Burp to watch the calls the website made as I traversed the pages; once I spotted the referring page on the customer site, I looked at its source code.
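The same two signals that gave the injection away here (external script hosts the site never used, and script tags sitting after the closing `</html>`) can be checked for automatically across a static site. The scanner below is an added example written for this write-up, not code from the engagement; the allowlist of script hosts, the sample page and the `.invalid` domains in it are all constructed placeholders, not the real indicators from the customer site.

```python
"""Scan static HTML for injected external <script> tags.

Added example, not from the original write-up. It assumes a per-site
allowlist of hosts that may legitimately serve scripts (ALLOWED_SCRIPT_HOSTS
below is a made-up value) and flags anything else, plus any script tag that
appears after </html>, which is where appended injections usually land.
"""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Hosts allowed to serve scripts to this site (assumed; set per site).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}


class ScriptTagCollector(HTMLParser):
    """Collect every <script src=...> and note whether it came after </html>."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of (src, seen_after_html_close)
        self._html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")   # attribute names are lowercased by HTMLParser
        if src:
            self.scripts.append((src, self._html_closed))

    def handle_endtag(self, tag):
        if tag.lower() == "html":
            self._html_closed = True


def find_suspicious_scripts(html_text, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings for script tags that load from a host outside the
    allowlist or that sit after the closing </html> tag."""
    parser = ScriptTagCollector()
    parser.feed(html_text)
    findings = []
    for src, trailing in parser.scripts:
        # hostname is None for relative URLs such as /js/app.js, and it also
        # resolves protocol-relative URLs such as //host/x.js
        host = urlparse(src).hostname
        reasons = []
        if host is not None and host not in allowed_hosts:
            reasons.append("external host not on allowlist: " + host)
        if trailing:
            reasons.append("script appended after </html>")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def scan_directory(root):
    """Walk a directory of static pages and map each file to its findings."""
    results = {}
    for path in Path(root).rglob("*.htm*"):
        hits = find_suspicious_scripts(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample page: one first-party script, one allowlisted CDN script,
# and three injected scripts after </html> pointing at placeholder domains.
SAMPLE_PAGE = """<html>
<head><title>Home</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head>
<body><p>Welcome</p></body>
</html>
<script src="http://injected-one.invalid/x.js"></script>
<script src="http://injected-two.invalid/y.js"></script>
<script src="//injected-three.invalid/z.js"></script>
"""

if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_PAGE):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run it against the sample and it reports the three trailing scripts and nothing for the two legitimate ones. Pointing `scan_directory` at the web root of a static site gives a quick first pass that would have surfaced this injection without traffic inspection; a copy of the site's own pages run through the same function after a clean deploy makes a handy baseline to diff against later.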

SCRIPTS (as they appeared in the page source, looking suspicious to anyone with half a clue, but otherwise not obviously malicious to a normal person):